nmap result
All the links on 2 are static and lead to the home page.
3 leads to a new page:
There are some examples here; it looks like we can generate formulas with whatever tool is running behind this. Also, looking at it, the endpoint is a PHP file. For the equation \frac{123}{234}:
like:
Can we give a command here:
Nope, not working.
This looks like some kind of software doing the work.
This software must be somewhere on the internet, so it must have some vulnerability too. I always first search Google for vulnerabilities in the exact software, and I landed on this blog:
https://infosecwriteups.com/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a
Whenever you see user input in a vulnerable machine, there is a high chance that it is vulnerable.
So we know for sure that, whatever the scenario, this endpoint is vulnerable; we just need to make sure we provide the right payload. After going through the article above, which mentions 3 articles, we get some basic payloads, but whenever I try them I get:
Then I landed on this blog:
Reference
https://faculty.math.illinois.edu/~hildebr/tex/course/intro2.html
So we need to wrap our payloads in this, which marks where our string starts and ends; PayloadsAllTheThings also mentions it:
Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
I tried many payloads here:
And this one worked:
$\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}$
I altered the path to /etc/passwd.
The .htpasswd file contains the user's (hashed) password.
Reading the .htpasswd file for the user password:
$\lstinputlisting{/var/www/dev/.htpasswd}$
How did we get this /dev/ path?
Do the DNS enumeration.
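The two \lstinputlisting reads above work because the formula tool hands user input straight to the TeX engine. The following is an added example, not code from the original writeup or from the target's tool: an allow-list check a rendering endpoint should run before invoking TeX. The allow-list itself is hypothetical; a real deployment would hold exactly the math macros its users need.

```python
import re
from typing import Tuple

# Added example, not code from the original writeup or from the target's
# formula tool: an allow-list check that a LaTeX-rendering endpoint should
# run on user input before handing it to the TeX engine. Only harmless math
# commands pass; anything that can read files (\lstinputlisting, \input,
# \include), write files or run programs is rejected by default because it
# is simply not on the list.

# Hypothetical allow-list; extend it with the math macros users need, nothing else.
ALLOWED_COMMANDS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "to", "infty", "cdot", "times",
    "left", "right", "alpha", "beta", "gamma", "theta", "pi", "le", "ge", "ne",
    "sin", "cos", "tan", "log", "ln", "mathrm", "text",
}

# A control sequence is a backslash followed by letters (\frac) or by a single
# other character (\{, \}, \\, \,).
COMMAND_RE = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)


def check_formula(src: str, max_len: int = 500) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied formula string."""
    if len(src) > max_len:
        return False, "formula too long"
    # TeX's ^^ notation spells arbitrary characters (^^5c is a backslash) and
    # would let a caller assemble a forbidden command that the regex below
    # never sees, so refuse it outright.
    if "^^" in src:
        return False, "TeX ^^ character escapes not allowed"
    for match in COMMAND_RE.finditer(src):
        name = match.group(1)
        if len(name) == 1 and not name.isalpha():
            continue  # \{ \} \, \\ and similar symbol escapes are harmless
        if name not in ALLOWED_COMMANDS:
            return False, f"command \\{name} not allowed"
    # Reject unbalanced braces so a truncated formula cannot swallow the
    # template the server wraps around it. Escaped braces do not count.
    depth = 0
    for ch in re.sub(r"\\[{}]", "", src):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False, "unbalanced braces"
    if depth != 0:
        return False, "unbalanced braces"
    return True, "ok"


if __name__ == "__main__":
    for sample in (r"\frac{123}{234}",
                   r"$\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}$",
                   r"\csname input\endcsname{/etc/passwd}"):
        print(sample, "->", check_formula(sample))
```

An allow-list beats a deny-list here because TeX can build command names at runtime (\csname ... \endcsname, \def, \let), so a deny-list of known-bad commands is bypassable. Two engine-side controls back the filter up: run TeX with -no-shell-escape (or shell_escape = f in texmf.cnf) so \write18 cannot run programs, and set openin_any = p in texmf.cnf (paranoid mode, which refuses dotfiles, parent-directory traversal and absolute paths outside the output tree) so a read of /etc/passwd or /var/www/dev/.htpasswd fails in the engine even if the filter is bypassed.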
This is the hash generated by the htpasswd command. Googling the first characters of the hash, $apr1$, shows it is an Apache MD5 (APR1) hash, so we search for the mode in hashcat:
hashcat -h | grep -i "md5" | grep -i "apache"
gives the hash mode number.
Command:
hashcat -m 1600 -a 0 <hash_file> <wordlist>
calculus20
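The password fell to a wordlist because $apr1$ is a fast, iterated-MD5 scheme. The following is an added example, not code from the original writeup: a small audit of an .htpasswd file that tells you which hash format each entry uses, the hashcat mode that corresponds to it (1600 for $apr1$, as used above), and which users need their hashes rotated to bcrypt (htpasswd -B). The sample file is constructed; none of its hashes come from the target.

```python
import re
from typing import Dict, List

# Added example, not code from the original writeup: audit an .htpasswd file
# for hash formats that are cheap to crack offline. The $apr1$ prefix seen in
# the writeup is Apache's iterated-MD5 scheme (hashcat mode 1600); bcrypt
# entries ($2y$, produced by `htpasswd -B`) are the strong option.

# Format name, validating regex, hashcat -m mode, and whether a wordlist
# attack on commodity hardware is realistic.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$"), 3200, False),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{8}\$[./A-Za-z0-9]{22}$"), 1600, True),
    ("sha1-base64", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), 101, True),
    ("crypt-des", re.compile(r"^[./A-Za-z0-9]{13}$"), 1500, True),
]

# Constructed sample file; none of these are real credentials or the hash
# from the target.
SAMPLE_HTPASSWD = """\
# users for the dev vhost
dev:$apr1$Ab3dEfGh$0123456789abcdefghijkl
ops:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
old:abJnggxhB/yWI
"""


def classify_hash(h: str) -> Dict[str, object]:
    """Identify an htpasswd hash string by its prefix and shape."""
    for name, pattern, mode, weak in HASH_FORMATS:
        if pattern.match(h):
            return {"algorithm": name, "hashcat_mode": mode, "weak": weak}
    # Unknown shapes are flagged weak so they get looked at, not ignored.
    return {"algorithm": "unknown", "hashcat_mode": None, "weak": True}


def audit_htpasswd(text: str) -> List[Dict[str, object]]:
    """Parse user:hash lines (skipping blanks and comments) and classify each."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        entry: Dict[str, object] = {"user": user}
        entry.update(classify_hash(h))
        findings.append(entry)
    return findings


def weak_users(text: str) -> List[str]:
    """Users whose hash a defender should rotate to bcrypt."""
    return [str(f["user"]) for f in audit_htpasswd(text) if f["weak"]]


if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
    print("rotate to bcrypt:", weak_users(SAMPLE_HTPASSWD))
```

The stronger lesson from this box is not the hash format but the file's location: an .htpasswd under a web root that a LaTeX renderer can read is compromised whatever its hashing, so keep it outside any path the application can open and check that its permissions exclude the web server's user wherever possible.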
Always remember to keep an image of a freshly installed Linux in mind; whatever does not align with that image on the box you are working on is probably there for a reason: priv-esc.
like here:
While searching for writable directories, why does /opt have one?
Weird, huh?
I wrote a bash script with the commands:
bash /bin/bash
Nope, didn't work, so I searched this exact term, gnuplot, on Google.
We had to place a file in gnuplot format:
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/gnuplot-privilege-escalation/
The catch here was to look at the jobs; we just need to place the file here.
It was executing it automatically, so put up a listener and wait.
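The whole privilege escalation rests on one thing a freshly installed system does not have: a world-writable directory under /opt that a scheduled job reads from. The following is an added example, not code from the original writeup: the audit a defender runs to find such directories, plus a demo() that builds a constructed tree resembling the finding (a 777 directory with a .plt file inside it, beside a properly permissioned one and a sticky /tmp-style one) and shows only the misconfigured paths being reported.

```python
import os
import shutil
import stat
import tempfile
from typing import List

# Added example, not code from the original writeup: find what the writeup
# exploited, a directory under /opt that a scheduled job reads from but that
# anyone on the box can write to. On a freshly installed system /opt and its
# contents are root-owned and not world-writable, so every hit below is
# something to explain or fix.


def find_world_writable(root: str) -> List[str]:
    """Return world-writable files and directories under root.

    Symlinks are not followed, and directories with the sticky bit (like /tmp)
    are skipped because they are world-writable by design.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory once as dirpath, so checking dirpath
        # here covers the directories and the filenames cover the files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            hits.append(path)
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed tree resembling the /opt finding and audit it.

    Returns the hits relative to the temporary root and cleans up afterwards.
    """
    base = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(base, "safe"))
        os.chmod(os.path.join(base, "safe"), 0o755)          # how /opt should look
        os.mkdir(os.path.join(base, "scratch"))
        os.chmod(os.path.join(base, "scratch"), 0o1777)      # sticky, like /tmp
        loose = os.path.join(base, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)                               # the misconfiguration
        job = os.path.join(loose, "plot.plt")                # file the job would pick up
        with open(job, "w") as fh:
            fh.write("# constructed placeholder, not a real gnuplot script\n")
        os.chmod(job, 0o666)
        return [os.path.relpath(p, base) for p in find_world_writable(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for hit in find_world_writable("/opt"):
        print("world-writable:", hit)
    print("demo:", demo())
```

Pair the output with a look at what consumes those paths (cron entries, systemd timers, the job the writeup found): a world-writable directory is a finding on its own, but one that a privileged job reads scripts from is the exact condition exploited here, and the fix is to make the directory root-owned with mode 755 rather than to chase individual files.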